We foresee a day when Kerberos-based authentication and authorization will be as ubiquitous as TCP/IP-based networking itself.

About - Frequently Asked Questions about the MIT Kerberos Consortium

So, what is Kerberos?

"Kerberos is the name of the three-headed dog from ancient Greek mythology that guarded the gates of Hades. Kerberos is also a network authentication protocol invented at MIT way back in the 1980s. It became an IETF Standard in 1993. MIT released its Kerberos software as Open Source in 1987 and has been enhancing it ever since. You can get it for free."

So, what’s so great about it that we still care about this old dog?

"One of the best things about Kerberos is it has strong mutual authentication between client and server, which makes it a very robust defense against phishing and so-called “man in the middle” attacks. Organizations realized this long ago. We see enormous potential to expand Kerberos so consumers can use it too. So this old dog still has a few tricks left."

So, who is using Kerberos?

"Kerberos is built into all major operating systems, from companies like Microsoft, Apple, Red Hat and Sun as well as others. Kerberos is the authentication mechanism for Microsoft’s Active Directory and even for some devices like the X-Box. The cable TV industry even uses Kerberos to authenticate set-top boxes and modems to their networks."

So, how many people are using Kerberos?

"Since MIT doesn’t sell Kerberos, and other organizations have produced their own software for it, it’s really hard to say for sure how many people are using Kerberos. We know of one organization using the MIT Kerberos Software with over 50 million unique logons per month. But if you add up the users of all the various implementations, including Microsoft’s, a conservative estimate of how many are using Kerberos is probably well over 100 million people, worldwide."

So basically, everyone who has a Windows machine or a Mac is using Kerberos?

"We wish. Everyone who is using a Windows machine or a Mac has Kerberos installed as part of the operating system, but they would only be using it if they were part of an organization that uses Kerberos for user authentication. Kerberos is mostly an enterprise application. It’s not used very frequently by individual consumers."

So, why are you starting this Consortium now?

"Kerberos has become one of the most widely adopted authentication methods in the history of computer networks. It’s become successful beyond MIT’s internal capacity to respond to the world’s demands for development, testing and support. So we need a new organizational structure that can accommodate the demand."

So what’s MIT going to do?

"MIT will take responsibility for working with all of the many vendors who incorporate Kerberos into their products, and the thousands of organizations who use Kerberos to protect millions of users and billions of dollars. MIT will also act as a neutral party to bring all these stakeholders together for interoperability testing and to develop proposals for new standards through the IETF. In return we ask organizations to contribute money to fund our work together. MIT plans to use the majority of this funding to hire engineers to work on our greatest mutual challenges."

Are you going to make any significant improvements to Kerberos?

"We want to expand Kerberos in three directions. We want to make it available on more devices, expand the environments in which it is useful, and expand Kerberos to work better with related authentication and authorization technologies. As an example, if Kerberos were available on all devices it would be more attractive in the health care industry as a mechanism for securing privacy of health records while making the system easy to use."

Is MIT going to start charging fees to use Kerberos?

"No. The Kerberos software we develop for authentication has been Open Source, and available for free since 1987, and it will continue to be so."

So, what does MIT get out of this? Is there a pony in here for you?

"We like to solve really hard problems. We think creating a universal authentication method for the world’s computer networks will be a really hard problem. We’re not sure who else could do it. We do believe it is solvable, and that the solution will be of enormous benefit to the world for a long, long time. At which point we will ride our pony off into the sunset."

So, how does the MIT Kerberos Consortium fit in with things like the Liberty Alliance?

"We believe there is significant opportunity to work with Liberty and other SAML-based formats. One area in which Liberty and Kerberos can work together is that Kerberos could carry SAML assertions to provide authorization information. Another way in which these technologies can work together is that Kerberos can be used as a mechanism to obtain SAML assertions. Ultimately, this work will allow Liberty to be used in client-server environments where Kerberos works best today and to allow Kerberos to take advantage of the expressive power of SAML and Liberty. This is one of the many projects where the initial designs have been sketched out but where work cannot proceed without the additional funding provided by the consortium."

How about Open ID? Where does that fit in?

"There is a similar story for Open ID. Last year there was initial discussion between MIT and those involved in Open ID to confirm that there was mutual interest and ways we could work together. However, again, absent the consortium there are insufficient resources within MIT to realize this cooperation."

Didn’t you guys have some kind of big falling out with Microsoft around Kerberos?

"We read about that, but MIT and Microsoft have a long history of working together on Kerberos. This history starts well before the release of Windows 2000. Since then, MIT and Microsoft have been working on standardizing some of the features such as realm referral that enhance the ease of configuration of the Active Directory product. To this day, MIT and Microsoft continue to work together on Kerberos standards. The most recent effort involves a joint proposal to protect Kerberos against weak passwords and provide enhanced user privacy. MIT and Microsoft have made a proposal and are working within the standards community to build consensus around this proposal."